23/4/2001 LDAP Overview - HEPix - LAL 2001
LDAP Overview
HEPix – LAL, Apr. 2001
Michel Jouvin
Outline
• LDAP: what is it?
• X.500
  – A short history
  – Information model and naming
• LDAP
  – A short history
  – Search operation and filters
  – Access control
LDAP: What Is It?
• Lightweight Directory Access Protocol
  – An access protocol
  – Originally designed for access to X.500 directories
• Built on the X.500 paradigm
  – Data abstraction
  – Hierarchical naming of entries
• Does not specify the server side (how the directory is stored or implemented)
X.500: Historical Milestones…
• 1984: start of design as the OSI directory application
  – Driven by CCITT
• 1988: X.500 v1
  – Hierarchical organization and naming of data
  – Client/server model
    • Client/server protocol: DAP
    • Server/server protocol: DSP
  – X.509 v1: authentication based on asymmetric (public-key) encryption
… X.500: Historical Milestones
• 1993: X.500 v2
  – Addition of replication (shadowing): DISP
• 1997: X.500 v3
  – X.509 v3: extension of X.509 for certificates
• 2001: X.500 v4
  – X.509 v4: enhanced handling of certificates and privilege management architecture
Information Model…
• Directory object = entry
  – Defined by its attributes
  – Belongs to an object class
• Attributes: describe the characteristics of an entry
  – Type/value pairs
  – Type: defines a syntax
  – Matching rules defined for each type
  – Support for multi-valued attributes
… Information Model
• Object class
  – Defines a set of allowed/mandatory attributes
  – Inheritance (multiple) between object classes
• Schema: set of object classes for one purpose
  – Can restrict allowed attributes/syntaxes
  – Several standard schemas proposed
    • inetOrgPerson schema: to represent a person
    • Java schema: to represent a Java object in LDAP
X.500 Naming: DIT and DN…
[Figure: DIT tree containing the entries C=FR, C=US, O=IN2P3, O=CEA, O=HEP, OU=LAL, OU=CC and CN=Jouvin. The path C=FR → O=IN2P3 → OU=LAL → CN=Jouvin is annotated with the RDN at each level: RDN=FR, RDN=IN2P3, RDN=LAL, RDN=Jouvin.]
…X.500 Naming: DIT and DN
• RDN: Relative Distinguished Name
  – Unique value for each entry at one DIT level
  – Built from attribute values of the entry
• DN: Distinguished Name
  – Concatenation of all RDNs from the entry up to the root
  – Unique name of an entry in the DIT
    • cn=Jouvin, ou=LAL, o=IN2P3, c=FR
• Alias: alternative designation for a DN
X.500 Strengths…
• One DIT distributed over several servers
  – Ability to build a world-wide directory
  – Knowledge about information location is inside the directory
  – No need for the client to know every server
• Inter-server protocol (DSP)
  – Chaining of requests: transparent to the client, initial security level preserved
  – Referrals: the server to contact is returned to the client
… X.500 Strengths
• Not bound to any particular data type
• Optimized for read/search operations
• Several authentication/security levels
  – Anonymous
  – Simple, via clear-text passwords
  – Strong, via encryption/certificates
• Certificate/public-key distribution (X.509)
• Shadowing protocol (DISP)
LDAP History…
• Started at the end of the 80s at the University of Michigan
  – Small subset of DAP for search/retrieval
  – Use of TCP/IP instead of OSI
• 1993: LDAP v2 (RFC 1487/1488)
  – Access protocol for X.500 directories
    • Based on the X.500 information model
  – Attributes represented as strings
    • Encoding rules defined for each type
  – Authentication: anonymous or plain-text password
… LDAP History
• 1997: LDAP v3 (RFC 2251-2256)
  – Still based on the X.500 information model
  – Allows for standalone LDAP servers
    • Introduction of referrals
  – No inter-server protocol like DSP
    • Shadowing not defined (proprietary solutions)
  – Rules for standard operation extensions
  – Authentication through SSL/TLS
  – LDAP URLs
LDAP Search Operations
• Very powerful: one of LDAP's strengths
• Can search one level or a subtree
  – Limits possible on the number of entries returned, the time spent searching…
• Selection of returned attributes
  – Ex: cn, telephoneNumber
• Selection of entries through filters
  – Interpreted according to the matching rules of each attribute type
LDAP Search Filters
• Equality and ordering: =, <=, >=        cn=Jouvin
• Substring match: *                      cn=Jouvin*
• Attribute presence: *                   telephoneNumber=*
• Approximate (similar sound): ~=
  – cn~=Jouvin will match Jouvin and Jouvain
  – Several algorithms available (server-dependent)
• Boolean operators: !, &, |
  – (&(cn=Jouvin)(c=fr))
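As an added example (not code from the presentation), the following Python script parses and evaluates filters of the forms listed above against a few constructed entries. The approximate-match rule and the ordering rule it uses are simplified stand-ins for the server's matching rules (assumptions), and `login_filter` is a hypothetical application helper included to show why an assertion value taken from user input must be escaped (RFC 4515 hex escapes) before being spliced into a filter: an unescaped `*` or `)` changes the filter's meaning instead of being matched literally.

```python
"""Toy LDAP search-filter parser and evaluator (RFC 4515 string syntax).
Added example for this page, not the presentation's code. Covers =, <=, >=, ~=,
substring '*', presence 'attr=*' and the boolean operators &, |, ! over a few
constructed entries. The ~= and ordering rules are simplified stand-ins.
"""
import re

ENTRIES = {  # constructed sample entries, not a real directory; attribute names lower-cased
    "cn=Jouvin,ou=LAL,o=IN2P3,c=FR": {"objectclass": ["inetOrgPerson"], "cn": ["Jouvin"],
        "uid": ["jouvin"], "c": ["FR"], "telephonenumber": ["+33 1 00 00 00 01"], "uidnumber": ["1001"]},
    "cn=Jouvain,ou=CC,o=IN2P3,c=FR": {"objectclass": ["inetOrgPerson"], "cn": ["Jouvain"],
        "uid": ["jouvain"], "c": ["FR"], "uidnumber": ["1002"]},
    "cn=Smith,o=HEP,c=US": {"objectclass": ["inetOrgPerson"], "cn": ["Smith"],
        "uid": ["smith"], "c": ["US"], "telephonenumber": ["+1 555 0100"], "uidnumber": ["2001"]},
}

_HEX = re.compile(r"\\([0-9A-Fa-f]{2})")
_ITEM = re.compile(r"([A-Za-z][\w.;-]*)(~=|<=|>=|=)(.*)")

def escape_filter_value(value):
    """RFC 4515 escaping: characters with filter meaning become \\XX (hex)."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)

def _unescape(value):
    return _HEX.sub(lambda m: chr(int(m.group(1), 16)), value)

def parse_filter(text):
    """Parse a filter string into a tuple tree; ValueError on malformed input."""
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return node

def _parse(s, i):
    if s[i:i + 1] != "(":
        raise ValueError("expected '(' at %d" % i)
    c, i = s[i + 1:i + 2], i + 1
    if c in ("&", "|"):
        op, kids, i = c, [], i + 1
        while s[i:i + 1] == "(":                # one or more nested filters
            kid, i = _parse(s, i)
            kids.append(kid)
    elif c == "!":
        kid, i = _parse(s, i + 1)
        op, kids = "!", [kid]
    else:                                       # simple item: attr op value; a literal ')' must be \29
        j = s.find(")", i)
        m = _ITEM.fullmatch(s[i:j]) if j >= 0 else None
        if not m:
            raise ValueError("bad filter item at %d" % i)
        return ("item", m.group(1).lower(), m.group(2), m.group(3)), j + 1
    if not kids or s[i:i + 1] != ")":
        raise ValueError("malformed %s at %d" % (op, i))
    return (op, kids), i + 1

def _order_key(v):
    """Ordering rule (assumption): integers compare numerically, else case-insensitive strings."""
    return (0, int(v)) if v.strip().lstrip("-").isdigit() else (1, v.lower())

def _skeleton(v):
    """Toy approximate-matching rule (assumption): letters with vowels removed."""
    return re.sub(r"[aeiouy]", "", v.lower())

def _match_item(entry, attr, op, raw):
    values = entry.get(attr, [])
    if op == "=" and raw == "*":                # presence
        return bool(values)
    if op == "=" and "*" in raw:                # substring: split on unescaped stars only
        pattern = ".*".join(re.escape(_unescape(p)) for p in raw.split("*"))
        return any(re.fullmatch(pattern, v, re.IGNORECASE) for v in values)
    val = _unescape(raw)
    if op == "=":
        return any(v.lower() == val.lower() for v in values)
    if op == "~=":
        return any(_skeleton(v) == _skeleton(val) for v in values)
    key = _order_key(val)
    if op == "<=":
        return any(_order_key(v) <= key for v in values)
    return any(_order_key(v) >= key for v in values)

def matches(entry, node):
    if node[0] == "item":
        return _match_item(entry, *node[1:])
    op, kids = node
    results = (matches(entry, k) for k in kids)
    return all(results) if op == "&" else any(results) if op == "|" else not next(results)

def search(filter_text, attrs=None, entries=ENTRIES):
    """Subtree search over `entries`: {dn: selected attributes} for matching entries."""
    node = parse_filter(filter_text)
    return {dn: {a: e[a] for a in (attrs or e) if a in e}
            for dn, e in entries.items() if matches(e, node)}

def login_filter(uid, escape=True):
    """Hypothetical application helper; escape=False reproduces the injection."""
    value = escape_filter_value(uid) if escape else uid
    return "(&(uid=%s)(objectclass=inetOrgPerson))" % value
```

`search("(&(cn=Jouvin)(c=fr))", ["cn", "telephonenumber"])` returns only the LAL entry with the two requested attributes, while `search(login_filter("*", escape=False))` matches every person and `search(login_filter("*"))` matches none, because the escaped value `\2a` is compared as a literal asterisk.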
LDAP Access Control Model
• Access to an entry controlled by ACLs
  – One ACL entry: ACI (Access Control Information)
    • Can grant access to a single attribute, e.g. compare-only on the password attribute
  – Stored in a multi-valued attribute: ldapACI
  – Unordered interpretation
  – Present at each level of the DIT
  – Managed through the standard operations on attributes
LDAP ACI Structure
• Each ldapACI value combines
  – Subject: “user” identification
    • Combination of a DN and an authentication level
  – Rights
    • grant or deny
    • Permissions: add, modify, delete, read, search, compare, write…
  – Scope: one level or subtree
  – The attribute the ACI applies to, or [entry] for the entry itself
LDAP ACI Examples
• A group may read, search and compare an attribute in a subtree:
  ldapACI: subtree#grant:r,s,c#OID.attr1#group:cn=Atlas,ou=lal,o=in2p3,c=fr
• The SysAdmins role can add entries in a subtree but only compare attribute attr2:
  ldapACI: subtree#grant:a#[entry]#role:cn=SysAdmins,ou=lal,o=in2p3,c=fr
  ldapACI: subtree#grant:c#OID.attr2#role:cn=SysAdmins,ou=lal,o=in2p3,c=fr
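The following Python evaluator is an added example (not the presentation's or any server's code) that applies ldapACI values of the form shown above, `scope#rights#attribute#subject`, to a constructed DIT fragment. Beyond what the slides state, it assumes that deny overrides grant and that nothing granted means denied, that scope is `subtree` (the holding entry and everything below it) or `entry` (the holding entry only), that the rights letters are a, r, s, c as on the slides plus d (delete), w (write) and m (modify), and that subjects are `group:`, `role:`, `access-id:` (a single bind DN) or `public:`. The entry-scoped deny on cn=Jouvin is a constructed addition used to show precedence, and `Principal` is a hypothetical representation of the authenticated bind.

```python
"""Toy evaluator for ldapACI values (scope#rights#attribute#subject).
Added example for this page, not the presentation's code. Assumptions beyond the
slides: deny overrides grant, default deny; scope 'subtree' or 'entry'; rights
a,r,s,c (slides) plus d,w,m; subjects group:, role:, access-id:, public:.
"""

def norm_dn(dn):
    """Comparison form of a DN: lower-cased, no blanks around commas (no escaped commas assumed)."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def ancestors(dn):
    """The entry itself, then each ancestor up to the root; ACIs are collected along this path."""
    parts = norm_dn(dn).split(",")
    return [",".join(parts[i:]) for i in range(len(parts))]

def parse_aci(text):
    """Split one ldapACI value into its four fields; ValueError if scope/action are unknown."""
    scope, rights, attr, subject = text.split("#", 3)
    action, _, letters = rights.partition(":")
    if scope not in ("entry", "subtree") or action not in ("grant", "deny"):
        raise ValueError("bad ldapACI: %r" % text)
    kind, _, who = subject.partition(":")
    name = attr.strip().lower()
    return {"scope": scope, "action": action,
            "perms": {p.strip() for p in letters.split(",") if p.strip()},
            "attr": name[4:] if name.startswith("oid.") else name,   # OID.attr1 -> attr1
            "subject": (kind.strip(), norm_dn(who) if who else "")}

class Principal:
    """Hypothetical authenticated identity: bind DN (None = anonymous), groups and roles."""
    def __init__(self, dn=None, groups=(), roles=()):
        self.dn = norm_dn(dn) if dn else None
        self.groups = {norm_dn(g) for g in groups}
        self.roles = {norm_dn(r) for r in roles}

def subject_matches(subject, principal):
    kind, who = subject
    return (kind == "public" or (kind == "group" and who in principal.groups)
            or (kind == "role" and who in principal.roles)
            or (kind == "access-id" and principal.dn == who))

def is_allowed(dit, principal, target_dn, perm, attr="[entry]"):
    """May `principal` exercise right `perm` on `attr` of `target_dn`? Walks the DN and its
    ancestors, keeps the ACIs whose scope, attribute, right and subject all apply, then
    applies deny-overrides; with no applicable grant the answer is no (assumptions)."""
    attr = attr.lower()
    grants = denies = 0
    for depth, holder in enumerate(ancestors(target_dn)):
        for raw in dit.get(holder, {}).get("ldapaci", []):
            aci = parse_aci(raw)
            if aci["scope"] == "entry" and depth > 0:    # entry-scoped ACI does not reach children
                continue
            if aci["attr"] != attr or perm not in aci["perms"]:
                continue
            if not subject_matches(aci["subject"], principal):
                continue
            if aci["action"] == "grant":
                grants += 1
            else:
                denies += 1
    return denies == 0 and grants > 0

# Constructed DIT fragment carrying the ACI examples from the slide plus one
# entry-scoped deny added to show precedence. Keys are normalized DNs.
DIT = {
    norm_dn("ou=LAL,o=IN2P3,c=FR"): {"ldapaci": [
        "subtree#grant:r,s,c#OID.attr1#group:cn=Atlas,ou=lal,o=in2p3,c=fr",
        "subtree#grant:a#[entry]#role:cn=SysAdmins,ou=lal,o=in2p3,c=fr",
        "subtree#grant:c#OID.attr2#role:cn=SysAdmins,ou=lal,o=in2p3,c=fr"]},
    norm_dn("cn=Jouvin,ou=LAL,o=IN2P3,c=FR"): {"attr1": ["visible"], "attr2": ["secret"], "ldapaci": [
        "entry#deny:r#OID.attr1#group:cn=Atlas,ou=lal,o=in2p3,c=fr"]},
    norm_dn("cn=Other,ou=LAL,o=IN2P3,c=FR"): {"attr1": ["visible"], "attr2": ["secret"]},
    norm_dn("ou=CC,o=IN2P3,c=FR"): {},
}

ATLAS_MEMBER = Principal("cn=Someone,ou=CC,o=IN2P3,c=FR", groups=["cn=Atlas, ou=LAL, o=IN2P3, c=FR"])
SYSADMIN = Principal("cn=Admin,ou=LAL,o=IN2P3,c=FR", roles=["cn=SysAdmins,ou=LAL,o=IN2P3,c=FR"])
ANONYMOUS = Principal()
```

With this DIT, `is_allowed(DIT, ATLAS_MEMBER, "cn=Other,ou=LAL,o=IN2P3,c=FR", "r", "attr1")` is true through the subtree grant on ou=LAL, the same request on cn=Jouvin is refused by the entry-scoped deny, and `SYSADMIN` may compare attr2 on entries under ou=LAL but not read it, which is the compare-only pattern used for password attributes.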
How to Locate an LDAP Server?
• A client should need to know only one server
  – Knowledge of the other servers must be “served” to it
  – No single standard agreed upon
• Knowledge inside the LDAP server
  – Based on the use of referrals
  – Not well standardized for superior references (referrals pointing up the DIT)
• Use of DNS SRV records
  – Approach used by Microsoft in Active Directory
Who Speaks LDAP? (Servers)
• Almost any distributed directory
  – X.500 (1993 and later)
  – Microsoft Active Directory (Windows 2000)
  – Novell NDS
• Standalone LDAP servers
  – Netscape iPlanet
  – OpenLDAP: open-source successor to the University of Michigan server
  – PMDF…
Who Speaks LDAP? (Clients)
• Almost any mail client
  – One popular client is still v2: Pine
• Web browsers
  – LDAP URLs
  – Through servlets in PHP, Java, Perl…
• PGP clients
  – Public/private keys
Issues with Standalone LDAP
• No chaining; referrals only, and only in v3
  – Popular mail clients like Pine or Netscape < 4.7 are still v2
  – Knowledge about servers lives inside the v2 client: difficult to maintain when the infrastructure changes
• Request routing between servers
  – No standard on how to locate a server
• No shadowing protocol
  – Proprietary solutions
    • Generally based on SLURPD from the University of Michigan